944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Size

5.5MB
MD5

d7bafb9a979dd8d4398e49874b0658a0
SHA1

3bef518b3a2eae1fbc56aa5b464da7476ea7217d
SHA256

944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d
SHA512

3d6c755d63ab5afbb79161c83a39912270a086cb954ba59b91ad4231a8293c598c2f0d78735c9c2300ff9dcf8653ac0486b68ec4092cec0980b83c0713b619a1
SSDEEP

98304:9QqNNOWs0J5jnfZai4UZ0x+SKzHjn5jJujrqjne1uikKmkww91wjbLHbXpoq:9fN4W/rjhBhZ0Pmn5FpjniSI1ULHdN

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe

Executes dropped EXE 2 IoCs

pid	Process
852	Yloux.exe
1336	{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4504-1-0x00000000005C0000-0x0000000000E75000-memory.dmp	vmprotect
behavioral2/memory/4504-3-0x00000000005C0000-0x0000000000E75000-memory.dmp	vmprotect
behavioral2/memory/4504-33-0x00000000005C0000-0x0000000000E75000-memory.dmp	vmprotect
behavioral2/memory/4504-196-0x00000000005C0000-0x0000000000E75000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Yloux.exe
File opened (read-only)	\??\L:	Yloux.exe
File opened (read-only)	\??\S:	Yloux.exe
File opened (read-only)	\??\V:	Yloux.exe
File opened (read-only)	\??\X:	Yloux.exe
File opened (read-only)	\??\E:	Yloux.exe
File opened (read-only)	\??\G:	Yloux.exe
File opened (read-only)	\??\K:	Yloux.exe
File opened (read-only)	\??\N:	Yloux.exe
File opened (read-only)	\??\R:	Yloux.exe
File opened (read-only)	\??\T:	Yloux.exe
File opened (read-only)	\??\B:	Yloux.exe
File opened (read-only)	\??\J:	Yloux.exe
File opened (read-only)	\??\M:	Yloux.exe
File opened (read-only)	\??\O:	Yloux.exe
File opened (read-only)	\??\U:	Yloux.exe
File opened (read-only)	\??\Z:	Yloux.exe
File opened (read-only)	\??\H:	Yloux.exe
File opened (read-only)	\??\Q:	Yloux.exe
File opened (read-only)	\??\W:	Yloux.exe
File opened (read-only)	\??\Y:	Yloux.exe
File opened (read-only)	\??\P:	Yloux.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\WindowsTask.exe	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\DuiLib_u.dll	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\sqlite3.dll	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\Yloux.exe	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\1.bin	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1700530177"	{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4504	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
4504	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe
852	Yloux.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
852	Yloux.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 852	4504	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe	94
PID 4504 wrote to memory of 852	4504	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
"C:\Users\Admin\AppData\Local\Temp\944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504
- C:\windows\Runn\Yloux.exe
  "C:\windows\Runn\Yloux.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe
"C:\Users\Admin\AppData\Local\Temp\{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{F3BCAA1F-174B-47e6-898B-FAC132650FA3}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
608B

MD5
55d1627bea5addf4296612b436900a61

SHA1
3f0ea9fb88563c29384eb214412a204f55ca5804

SHA256
feb49600defcb05167967c9d27ad90d5b465222f038fd23f18baaadc546c8d65

SHA512
82f27ac52a42b91850b9e8df25b3d2ac61618641b23451697251a2236ed097bbc7e2d716a65b523639900c25113482706c89c120deeb1c958eccc3a8915d0df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F3BCAA1F-174B-47e6-898B-FAC132650FA3}

Filesize
215B

MD5
5bd3a4f7a0295ff3cc9553d1f8267013

SHA1
476727e5c09ae93ad62b57a023bfc8535ec9bd0a

SHA256
51c290e1d323f953dd7380d2fc24ac515e0ad7064da29bbcf75bf7ae5430fb65

SHA512
cc183cd58d6f7fc74b18e27a40e0814eb56bd5a1774b9cb6ef371eef92a7f3c1645a6bf7f1f59789729138f674b470181d80709aff24f03ff3a86a531e18a284

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F7519EB7-2DA8-4ee3-AC89-BB60BC2C4E68}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
324KB

MD5
f64170c793fb8568738cfd1857783a9d

SHA1
7f1acc4459e99996f025896894d697b7c2f0b84d

SHA256
4928635e712fdfd584eb5d25278e42e69eb7ab6c12bc3c1fca95a0f71692c33d

SHA512
3059de955d256c098a84e71d04a31e81eeac8c2893971fabe8d4e18f0986241460911f455d00f5693720bc13c0edbe3c421d7f88788bc10027a75cf97a13b218

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
324KB

MD5
f64170c793fb8568738cfd1857783a9d

SHA1
7f1acc4459e99996f025896894d697b7c2f0b84d

SHA256
4928635e712fdfd584eb5d25278e42e69eb7ab6c12bc3c1fca95a0f71692c33d

SHA512
3059de955d256c098a84e71d04a31e81eeac8c2893971fabe8d4e18f0986241460911f455d00f5693720bc13c0edbe3c421d7f88788bc10027a75cf97a13b218

Download Submit
C:\windows\Runn\1.bin

Filesize
378KB

MD5
5a189470b11373b448bace9315c0f6ac

SHA1
add6f55b32662ace0599c28230fcc8b0f6f1042f

SHA256
f6b365099879bf8eee77206451634992da91e76c69606ccfcbc12a927c02873a

SHA512
6f0d8b3ad532bf22045cbb3362355711ce7c6d2a09c5b546572084eda12c0fab31d7fdd1f3ff22d016108f1ca5aa1b4ceefd2e5f904bf4d96cfc3291ac9dc09e

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
324KB

MD5
f64170c793fb8568738cfd1857783a9d

SHA1
7f1acc4459e99996f025896894d697b7c2f0b84d

SHA256
4928635e712fdfd584eb5d25278e42e69eb7ab6c12bc3c1fca95a0f71692c33d

SHA512
3059de955d256c098a84e71d04a31e81eeac8c2893971fabe8d4e18f0986241460911f455d00f5693720bc13c0edbe3c421d7f88788bc10027a75cf97a13b218

Download Submit
memory/852-193-0x0000000003060000-0x00000000030A2000-memory.dmp

Filesize
264KB

Download
memory/852-197-0x0000000003060000-0x00000000030A2000-memory.dmp

Filesize
264KB

Download
memory/852-41-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-40-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-47-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-48-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-34-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-205-0x0000000003060000-0x00000000030A2000-memory.dmp

Filesize
264KB

Download
memory/852-28-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/852-203-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/852-200-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-199-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-190-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/852-192-0x0000000003060000-0x00000000030A2000-memory.dmp

Filesize
264KB

Download
memory/852-191-0x00000000025A0000-0x00000000025DC000-memory.dmp

Filesize
240KB

Download
memory/852-44-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/852-194-0x0000000003060000-0x00000000030A2000-memory.dmp

Filesize
264KB

Download
memory/852-198-0x0000000003060000-0x00000000030A2000-memory.dmp

Filesize
264KB

Download
memory/4504-196-0x00000000005C0000-0x0000000000E75000-memory.dmp

Filesize
8.7MB

Download
memory/4504-0-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/4504-3-0x00000000005C0000-0x0000000000E75000-memory.dmp

Filesize
8.7MB

Download
memory/4504-5-0x0000000003260000-0x00000000035DD000-memory.dmp

Filesize
3.5MB

Download
memory/4504-1-0x00000000005C0000-0x0000000000E75000-memory.dmp

Filesize
8.7MB

Download
memory/4504-6-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/4504-33-0x00000000005C0000-0x0000000000E75000-memory.dmp

Filesize
8.7MB

Download